Microsoft Systems Management Server 2.0 Training Kit

[Previous] [Next]
After this lesson, you will be able to Estimated Completion Time: 40 minutes

The SMS 2.0 CD-ROM includes the Network Monitor console application and the Network Monitor Agent version 2 for Windows NT/2000. The console provides the user interface for viewing traffic on the network. Figure 7-6 shows the Network Monitor interface and how the Network Monitor captures packets from local and remote segments.

Figure 7-6. Monitoring local and remote segments.

Installation of the Network Monitor varies depending on the operating system. The Network Monitor and Network Monitor Agent version 2 driver are installed through the SMS 2.0 Setup program, or after installation by running SETUP.EXE from the \NMEXT directory on the SMS 2.0 installation CD-ROM. The Windows 2000 installation CD-ROM includes the Network Monitor Agent version 2 driver. Monitors and experts are included in the version of Network Monitor bundled with SMS 2.0.

Windows 95/98 and Windows for Workgroups can run previous versions of Network Monitor, but may not run the version of Network Monitor or the Network Monitor Agent version 2 included with SMS 2.0. On Windows 95/98 computers, Network Monitor is installed through a setup program contained on SMS version 1.2 CD-ROM in the \NMEXT\DISK1 directory. The agent driver is installed as a network component in the Windows 95/98 Network dialog box from the Windows 95/98 installation CD-ROM.

The SMS 1.1 CD-ROM contains the \NMEXT\DISK1 directory, which can be used to install the Network Monitor on a Windows for WorkGroups computer. After installing the Network Monitor, the Win32s components must be reinstalled for the Network Monitor to function properly.

NOTE


The versions of Network Monitor for Windows for Workgroups and for Windows 95/98 do not include Experts or the Network Monitor Control Tool.

Starting Network Monitor

There are three ways to start Network Monitor and the Network Monitor Control Tool: by selecting Network Monitor or the Network Monitor Control Tool from the Tools node in the SMS Administrator console; by selecting one of the shortcut icons in the SMS program group; or by using the Windows NT command line `Start' option. The syntax for the Network Monitor command is:

netmon [options]

Network Monitor and the Network Monitor Control Tool are found in the \SMS\NETMON\platform directory on site servers. If the SMS Network Monitor is installed on a non-site server, it is found in the \SMSADMIN\ NETMON\platform directory. There are number of command line options that can be specified when running netmon from the command prompt. For example, start netmon /remote:nts2 instructs Network Monitor to find and use the computer named NTS2 to capture packets using the Network Monitor Agent driver. Other command line options are listed in the Network Monitor help file under the page titled "Start Network Monitor from a Command Line."

The command line command that runs the Network Monitor Control Tool is:

mcsui

NOTE


There is no need to type start before the netmon or mcsui command, as specified in the help documents included with SMS 2.0.

Configuring Network Monitor Security

Network monitoring, commonly referred to as packet sniffing, exposes data in frames that are traversing the network. Unauthorized use of the Network Monitor to collect and examine network data compromises the security of the network. Previous versions of the Network Monitor Agent driver included password security to control who could use the agent to collect frames. In SMS 2.0, running Network Monitor is controlled centrally using the Security Monitor. Security Monitor is one of the monitors included with the Network Monitor Control Tool.

When Network Monitor is running, the Network Monitor Agent driver broadcasts a security packet stating that it is running. If a computer running the Network Monitor has not been included on the Security Monitor Configuration page (Figure 7-7), Security Monitor sends a frame to the computer running the agent driver that forces the Network Interface Card (NIC) out of promiscuous mode. The Network Monitor Agent driver then empties the local capture buffer and destroys the capture file.

To configure the security monitor, start the Network Monitor Control Tool and select Security Monitor (labeled 1 in Figure 7-7). After enabling the Security Monitor, select it from the `Enabled Monitors' box (2). Click the Configure button (3) to display the Configure Security Monitor 1 dialog box. Add NIC hardware addresses to the `Valid MAC Addresses' box (4).

Figure 7-7. Configuring Security Monitor from the Network Monitor Control Tool.

Security Monitor watches for security packets from all instances of the Network Monitor Agent driver on the local network segment. To monitor unauthorized attempts to capture network data on remote segments, ensure that an instance of Security Monitor is running on each network segment.

Capturing and Displaying Frames

The Network Monitor user interface is divided into four sections as shown in Figure 7-8 and described next.

Figure 7-8. The Network Monitor application displaying frame statistics.

Network Monitor automatically builds an address database of "friendly names" to help identify individual stations. Captures are filtered based on computer address (or address pairs), protocols, or data patterns within the frame. These friendly names appear in the session statistics, and station statistics sections in place of the network adapter card addresses. For example, in Figure 7-8 the computer named NTS2 is displayed with its NetBIOS computer name.

Creating Filters and Triggers

Filtering can be used before a capture is initiated and after the capture has been completed. Filters configured before a capture begins are called capture filters. Filters configured after data has been captured are called display filters.

Filters are defined in the Capture Filter dialog box, as shown in Figure 7-9. This dialog box is accessed from the Capture menu, `Filters' option in Network Monitor.

Figure 7-9. The Capture Filter dialog box in Network Monitor.

When `SAP/ETYPE = Any SAP or Any ETYPE' is selected, you use the edit button to enable or disable protocol level captures. When '(Address Pairs)' is selected, you filter network traffic between specific NICs or computers in the network and choose in which direction traffic should be filtered, whether in one direction or in both directions. If you select the '(Pattern Matches)' option, you filter which packets are collected to meet a specific pattern in Hex or ASCII, and you fine-tune the pattern match by selecting a specific position within the packets to query for. This type of highly defined pattern match is called a packet offset.

Triggers are created in the Capture Trigger dialog box, as shown in Figure 7-10. When a certain condition, or a set of conditions, defined for the capture trigger is met, the trigger can stop the capture and run a program or batch file. Figure 7-10 shows which events cause the execution of a trigger, and the result when a trigger condition has been met.

Figure 7-10. The Capture Trigger dialog box in Network Monitor.

Triggers can also be set for remote networks using the Windows NT Network Monitor Agent driver. If the trigger involves running a program or a batch file, the execution will be invisible to users of the remote system. Execute Command Line triggers set on a remote capture always run on the remote system.

Viewing Captured Data

When viewing captured data, the Summary window (Figure 7-11) displays a summary of all frames captured. A display filter can be set to filter frames of interest, such as those from a particular host or those using a particular protocol. Colors can be added to highlight specific frames.

Figure 7-11. The Network Monitor Capture Summary window.

The Network Monitor Capture Summary window has three panes. The toolbar's Zoom tool can be used to maximize or reduce each pane. To view all three panes simultaneously, double-click any frame.

Printing and Saving Data

Captures can be printed in summary or expanded mode, printing all, or a range, of frames. In addition, captured data can be saved for viewing at a later time.

NOTE


For additional information on SMS Network Monitor, view the online Network Monitor help file (NETMON2.CHM). For additional information on the Monitor Control Tool, view the Monitor Control Tool online help file (MCSUI.CHM).

Exercise 40: Analyzing Network Traffic Using Network Monitor and Experts

In this exercise, you will use the SMS 2.0 version of Network Monitor and the Network Monitor Experts to analyze local network traffic. If the SMS Administrator console is not running, start it now.

  1. Select the Tools node from the SMS console tree.
  2. In the console tree, click Network Monitor. Then from the Action menu, choose All Tasks.
  3. A menu appears.

  4. Select Start Network Monitor.
  5. The Microsoft Network Monitor window appears.

In the following steps, you will add entries in the address database for the site server.

  1. Switch to the SMS Administrator console, then use the All Systems collection to determine the media access control address of the site server computer. This information is stored in the Resource Explorer if the site server has been inventoried. If it has not been inventoried, you obtain this information from the Network tab in Windows NT Diagnostics. Document the media access control address on the line below.

  2. Ping Computer 2 to determine its media access control address. At a command prompt, type ping Computer2 and then press ENTER.
  3. Type arp _g and then document Computer 2's media access control address on the line below.

  4. Switch back to Network Monitor.
  5. On the Capture menu, choose Addresses.
  6. The Address Database dialog box appears.

  7. Click Add.
  8. The Address Information dialog box appears.

  9. In the `Address' field, type the media access control address for Computer 2. Do not include the dashes between the numbers in the address.
  10. In the `Name' field, type COMPUTER2.
  11. If you are not running this exercise on an Ethernet network, change ETHERNET listed in the `Type' list box to the appropriate network type and then click OK.
  12. The Address Database dialog box appears displaying Computer 2's address.

  13. Under the `Name' column, select LOCAL with the address of the site server computer and a type of ETHERNET, then click Edit.
  14. The Address Information dialog box appears displaying the media access control address of the site server computer.

  15. In the `Name' box, type SERVER1, then click OK.
  16. The Address Database dialog box appears displaying both computer addresses.

  17. Click Save.
  18. The Save Addresses as dialog box appears.

  19. In the `File Name' field, type default and then click Save.
  20. The Save Addresses as message box appears indicating the file already exists, and prompts you to replace it.

  21. Click Yes.
  22. The Address Database dialog box appears.

  23. Click Close.

In the following steps, you will configure a capture filter to capture traffic between Computer 1 and Computer 2.

  1. On the Capture menu, choose Filter.
  2. The Capture Filter dialog box appears.

  3. Under '(Address Pairs),' select INCLUDE *ANY <--> *ANY, then click Edit.
  4. The Address Expression dialog box appears.

  5. Under 'Station 1,' select SERVER1 using the media access control address.
  6. Under 'Station 2,' select COMPUTER2.
  7. Under Direction, select <-->, then click OK.
  8. The Capture Filter dialog box appears. Notice under (Address Pairs) that the entries for the site server and Computer 2 appear.

  9. Click OK.
  10. The Network Monitor window appears.

In the following step, you will start a capture session.

  1. On the Capture menu, choose Start.
  2. The network capture is started. Notice data appears in the four Network Monitor panes.

In the following steps, you will generate network traffic for the capture session from Computer 2 and then answer questions based on the captured data.

  1. Logon to Computer 2 and start a command prompt.
  2. Type net view \\server1, then press ENTER.
  3. Close the command prompt window and return to Network Monitor running on Computer 1.
  4. On the Capture menu, choose Stop.
  5. The network capture is stopped. Notice the data that appears in the Network Monitor panes.

  6. On the Capture menu, choose Display Captured Data.
  7. The Microsoft Network Monitor — [Capture: 1 (Summary)] window appears displaying the traffic that was captured.

  8. On the Display menu, choose Colors.
  9. The Protocol Colors dialog box appears.

  10. Under 'Name,' select R_SRVSVC. Then under 'Foreground,' select the red bar.
  11. Click OK.
  12. All captured frames that are RPC calls to the server service are displayed in red.

  13. Under the `Description' column, search for RPC Client call srvsvc:NetrShareEnum(..).
  14. This is the client computer requesting the list of shared resources from the server.

  15. The next frame should appear with a description of RPC Server response srvsvc:NetrShareEnum(..).
  16. This is the server's response to the request for the list of shared resources.

  17. Double-click the server's response frame.
  18. The Microsoft Network Monitor _ [Capture: 1 (Summary)] window displays three panes.

  19. In the Detail pane (middle), expand Frame: Base frame properties.
  20. How large was the packet?

    Answer

  21. In the Detail pane (middle), expand IP: ID = value; Proto = TCP; Len: value.
  22. What is the source IP address?

    Answer

  23. In the Detail pane (middle), select R_SRVSVC: RPC Server response srvsvc:NetrSHareEnum(..).
  24. Answer

  25. In the Hex pane (bottom), scroll to find the list of share resources that are available on SERVER1.
  26. What shares were listed for SERVER1?

    Answer

  27. From the Summary pane (top), open the last frame of the capture. Then from the Detail pane (middle), expand STATS.
  28. What was the elapsed time of the capture?

    How many bytes were transmitted during the capture session?

    Were there any broadcast frames in the capture?

    Answer

In the following steps, you will save the capture session.

  1. On the File menu, choose Save As.
  2. The Save as dialog box appears.

  3. In the `File Name' field, type shares and then click Save.

In the following steps, you will use Network Monitor Experts to help analyze the captured data and answer questions from data provided by the experts.

  1. On the Tools menu, choose Experts.
  2. The Network Monitor Experts dialog box appears.

  3. Under 'Groups,' select Protocol Distribution, then click Add to Run List.
  4. Under 'Groups,' select Top Users. Then click Add to Run List.
  5. Click Run Experts.
  6. The Microsoft Network Monitor _ [Run 1: filepath\*.cap] window appears.

  7. From the Window menu, choose Cascade.
  8. The Expert Status View, [Run 1: filepath\*.cap], Capture: 1 (Detail), and the \ETHERNET\NET media access control address Capture Window (Station Stats) dialog boxes appear.

  9. Select Expert Status View window.
  10. Notice that all experts were 100 percent successful in completion.

  11. In the [Run 1: filepath\*.cap] window, notice the Protocol Distribution and Top Users tabs.
  12. Which protocol (other than FRAME or ETHERNET) generated the highest number of frames?

    Which protocol generated the highest number of bytes claimed?

    Answer

  13. Select the Top Users tab.
  14. Which address generated the highest number of frames?

    Which address generated the highest number of bytes?

    Answer

  15. On the File menu, choose Exit.
  16. If a Save Address Database? message box appears, click No.

Network Monitor closes.

Exercise 41: Configuring the Network Monitor Control Tool

In this exercise, you will configure a monitor for using the Network Monitor Control Tool that detects invalid IP address ranges. If the SMS Administrator console is not running, start it now.

  1. In the SMS console tree, expand the Tools node and select Network Monitor.
  2. On the Action menu, select All Tasks and then choose Start Network Monitor Control Tool.
  3. The Monitor Control Tool window appears displaying the available monitors for the local computer.

  4. Under 'Installed Monitors,' select IPRange Monitor, then click Enable.
  5. The Monitor is not configured message box appears, prompting you to configure the monitor now.

  6. Click Yes.
  7. The Configure IPRange Monitor dialog box appears displaying the list of valid and invalid IP addresses.

  8. Under 'Invalid Addresses,' type 128.1.2.1 in both the 'Source' and 'Destination' boxes.
  9. This is the IP address of Computer 2. While this is a valid address, you will have the monitor tell you it is invalid for testing.

  10. Click Set Monitor Configuration.
  11. A Security Alert message box appears, prompting you to send this information to the Internet zone.

  12. Click Yes.
  13. The Monitor Control Tool window appears with IPRange Monitor 1 under 'Enabled Monitors.'

  14. Under 'Enabled Monitors,' select IPRange Monitor 1, then click Start.
  15. Notice the IPRange Monitor 1 status has changed to Running.

In the following steps, you will access Computer 2 to cause the monitor to signal an event.

  1. Start a command prompt.
  2. Type ping 128.1.2.1 and then press ENTER.
  3. Close the command prompt window.
  4. The Monitor Event Viewer window appears, displaying all events that have been registered by running monitors.

    Notice the information presented indicating that the event is an invalid source address, showing which the computer that monitored the event, and presenting the offending addresses.

  5. In the third pane of the Monitor Events tab, read the IP Range monitor details.
  6. Close the Monitor Event Viewer window.
  7. The Monitor Control Tool window appears.

  8. In the Monitor Control Tool window, select the IPRange Monitor 1 under `Enabled Monitors' and then click Stop.
  9. On the File menu, click Exit.

Категории